
I recently had the opportunity to sit down with Francis de Souza, COO of Google Cloud, backstage at an event in Los Angeles. Amid everything going on around us, de Souza, who speaks with the calm of a university professor, gave practical advice to companies navigating the AI security era that we all live in, noting that “there will be a time to change, so I think we will get to a better place.”
He wasn’t talking about Google at the time, but it’s clear that even Google is still figuring things out.
De Souza’s main message is one that security experts have been pressing on managers for years, now made more urgent by AI: security can’t be an afterthought. “When companies start the AI journey, they need to take a platform approach,” he said. “Security is not something you can put on the back burner, and it’s not something you can leave employees to do on their own.” He warned in particular about “shadow AI” – agents that access consumer devices without organizational supervision – and said that companies should demand security, governance, and accountability from their platforms from the beginning. “There is no AI strategy without a data strategy and a security strategy. They have to work together.”
Worth noting: he wasn’t pitching Google Cloud exclusively. When I noted that his advice sounded like a Google ad, he backed off. Google, he said, is committed to a multi-cloud approach, and he pointed out that companies that think they are working on a single cloud are not. “Even if they choose one cloud, relying on SaaS software, there are business partners who may be using different clouds,” he said. “It’s imperative that companies have consistent cloud security, across all platforms.”
He said the threat landscape has changed so much that old defenses are too slow. He added that the time between the initial breach and the handoff to the next phase of the attack has dropped from eight hours to 22 seconds, and that the attack surface is expanding beyond the boundaries of the network. “In addition to the places you always have, you have the models now. You have the pipelines that are used to train the models. You have the agents, you have the information. All of this has to be protected.”
One risk de Souza raised that isn’t addressed enough: agents that move through a company’s internal systems can lay bare forgotten caches that no one has thought about for years. “Many organizations have old SharePoint servers (and access controls) that haven’t really changed, but it didn’t matter because no one knew where they were.”
The answer, in his opinion, is to meet machine speed with machine speed. “Now we’re seeing the emergence of AI-native security systems where organizations can run agents that manage security,” he said. “Instead of having security led by people or even a person on the road, you can have people in charge of full security.” He added that this has become a leadership issue, not a technical one. “This is a community and community issue. It’s not just the security community.”
But even as AI takes over many defense jobs, the right people to oversee it are in short supply – and the vulnerabilities AI is introducing are growing faster than security teams can handle. “We’re going to need people to deal with the bug-pocalypse,” LinkedIn chief security officer Lea Kissner told the New York Times this week, adding that Kissner doesn’t expect the industry to understand AI security in any consistent way for several years.
Which brings us back to the platform providers themselves. The Register has published several reports in the past few weeks documenting a number of Google Cloud developers who have been hit with five-figure bills following unauthorized API calls to Gemini models – in many cases for services they had never used, or never intentionally. The cases followed a familiar pattern: API keys issued for Google Maps, which were made public in line with Google’s own guidelines, had gained access to Gemini after Google expanded the keys’ scope without properly disclosing the change.
Rod Danan, CEO of interview-prep platform Prentis, said he took a $10,138 hit in about 30 minutes after attackers used his compromised API key. Isuru Fonseka, a Sydney-based software developer whose account was compromised, woke up to charges of around AUD$17,000 despite believing he had a $250 spending limit. What they didn’t know was that Google’s automated system had raised their spending tiers based on account history, lifting their ceilings to $100,000 without prior permission.
Google reversed both charges after The Register published its first report. However, Google told The Register that it has no plans to change its policy, saying it prioritizes preventing downtime over enforcing user preferences.
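The pattern above (a publicly embedded Maps key that can also call Gemini) is something a project owner can audit for. The following is an added example, not code from The Register, Aikido or Google; it assumes key records in the JSON shape printed by `gcloud services api-keys list --format=json`, and the sample records are constructed.

```python
import json

GEMINI_SERVICE = "generativelanguage.googleapis.com"
APP_RESTRICTIONS = ("browserKeyRestrictions", "serverKeyRestrictions",
                    "androidKeyRestrictions", "iosKeyRestrictions")

# Constructed sample records (names, uids and referrers are made up).
SAMPLE_KEYS = json.loads("""
[
  {"displayName": "maps-web-widget", "uid": "constructed-1",
   "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]}}},
  {"displayName": "maps-locked-down", "uid": "constructed-2",
   "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]},
                    "apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
  {"displayName": "legacy-key", "uid": "constructed-3"},
  {"displayName": "gemini-backend", "uid": "constructed-4",
   "restrictions": {"serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]},
                    "apiTargets": [{"service": "generativelanguage.googleapis.com"}]}}
]
""")

def audit_key(key):
    """Return the findings for one API key record (empty list = nothing flagged)."""
    restrictions = key.get("restrictions") or {}
    targets = [t.get("service") for t in restrictions.get("apiTargets", [])]
    findings = []
    if not targets:
        # No apiTargets: the key works with any API enabled in the project,
        # including ones enabled long after the key was published.
        findings.append("no API restriction")
    elif GEMINI_SERVICE in targets and "browserKeyRestrictions" in restrictions:
        findings.append("browser-exposed key is allowed to call Gemini")
    if not any(r in restrictions for r in APP_RESTRICTIONS):
        findings.append("no application restriction")
    return findings

def audit(keys):
    """Map displayName -> findings, for keys with at least one finding."""
    return {k["displayName"]: f for k in keys if (f := audit_key(k))}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_KEYS).items():
        print(f"{name}: {'; '.join(findings)}")
```
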
Meanwhile, there is a separate question about what happens when a developer tries to shut things down. The Register reported this week on research from security company Aikido, which found that even keys that are compromised and deleted immediately are not safe. According to Aikido’s findings, attackers can continue to use the key for up to 23 minutes as Google’s revocation gradually propagates across its infrastructure. Aikido researcher Joseph Leon told The Register that within that window the success rate is unpredictable – in some minutes 90% of requests still succeed – and attackers can use that time to extract files and cached data from Gemini.
Leon also noted that Google’s newer credential formats don’t seem to have the same problem: service account API credentials are revoked in about five seconds, and Gemini’s new AQ-prefixed keys take about a minute. “Everything runs on a Google scale,” he wrote in a write-up for Aikido. “They all indicate that this is also possible to decrypt Google API keys.” In short, according to Leon, the 23-minute window is not a technical problem but one of priorities for the company.
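For incident response, the practical consequence of that window is that deleting a leaked key does not end the exposure at the moment of deletion, so request logs need checking past that point. The following is an added example, not Aikido's or Google's code; the log tuple format, key ids, timestamps and status codes are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed request log: (ISO timestamp, key id, HTTP status).
SAMPLE_RECORDS = [
    ("2026-01-01T09:59:30", "key-A", 200),   # before deletion, ignored
    ("2026-01-01T10:00:20", "key-A", 200),
    ("2026-01-01T10:00:40", "key-A", 200),
    ("2026-01-01T10:01:10", "key-A", 403),
    ("2026-01-01T10:01:30", "key-A", 200),
    ("2026-01-01T10:05:00", "key-B", 200),   # different key, ignored
    ("2026-01-01T10:22:45", "key-A", 200),
    ("2026-01-01T10:23:30", "key-A", 403),
]
DELETED_AT = datetime.fromisoformat("2026-01-01T10:00:00")

def post_deletion_exposure(records, key_id, deleted_at):
    """Measure how long a deleted key kept being accepted.

    Returns (seconds from deletion to the last accepted request, or None,
             {minute offset: share of requests accepted in that minute}).
    """
    per_minute = defaultdict(lambda: [0, 0])   # minute -> [accepted, total]
    last_accepted = None
    for ts, kid, status in records:
        when = datetime.fromisoformat(ts)
        if kid != key_id or when < deleted_at:
            continue
        offset = int((when - deleted_at).total_seconds())
        bucket = per_minute[offset // 60]
        bucket[1] += 1
        if 200 <= status < 300:                # request was still honoured
            bucket[0] += 1
            if last_accepted is None or offset > last_accepted:
                last_accepted = offset
    rates = {m: a / t for m, (a, t) in sorted(per_minute.items())}
    return last_accepted, rates

if __name__ == "__main__":
    last, rates = post_deletion_exposure(SAMPLE_RECORDS, "key-A", DELETED_AT)
    print(f"last accepted request {last}s after deletion")
    for minute, rate in rates.items():
        print(f"minute {minute:2d}: {rate:.0%} accepted")
```

Every accepted request after the deletion time should be treated as attacker activity to scope, not as noise.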
This is worth considering when reading de Souza’s advice, which is good and should be taken very seriously. He is not wrong, but right now there is a gap between the platforms’ advice and how quickly they themselves change, and it is good to know this, too.